Detection of metamorphic computer viruses using algebraic specification

  • Invited Paper
Journal in Computer Virology

Abstract

This paper describes a new approach towards the detection of metamorphic computer viruses through the algebraic specification of an assembly language. Metamorphic computer viruses are computer viruses that apply a variety of syntax-mutating, behaviour-preserving metamorphoses to their code in order to defend themselves against static analysis based detection methods. An overview of these metamorphoses is given. Then, in order to identify behaviourally equivalent instruction sequences, the syntax and semantics of a subset of the IA-32 assembly language instruction set are specified formally using OBJ – an algebraic specification formalism and theorem prover based on order-sorted equational logic. The concepts of equivalence and semi-equivalence are given formally, and a means of proving equivalence from semi-equivalence is given. The OBJ specification is shown to be useful for proving the equivalence or semi-equivalence of IA-32 instruction sequences by applying reductions – sequences of equational rewrites in OBJ. These proof methods are then applied to fragments of two different metamorphic computer viruses, Win95/Bistro and Win9x.Zmorph.A, in order to prove their (semi-)equivalence. Finally, the application of these methods to the detection of metamorphic computer viruses in general is discussed.
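The core idea of the abstract, deciding whether two IA-32 fragments have the same effect by rewriting their semantics to a normal form, can be illustrated in Python. This is an added example, not the authors' OBJ specification: it symbolically executes a tiny mov/add/sub/xor/push/pop subset, ignores flags, uses a handful of equational rules (x xor x = 0, x - x = 0, constant folding) in place of OBJ reductions, and treats semi-equivalence as agreement on a chosen subset of registers, which is an assumed simplification of the paper's definition.

```python
# Added illustration (not the paper's OBJ spec): symbolic execution of a tiny IA-32 subset.
REGS = ("eax", "ebx", "ecx", "edx")

def initial_state():
    # Every register starts as an opaque symbolic value; the stack is a list of terms.
    return {"regs": {r: ("sym", r) for r in REGS}, "stack": []}

def simplify(t):
    """Normalise bottom-up: x xor x = 0, x - x = 0, x op 0 = x, (x + c) - c = x, constant folding mod 2^32."""
    if t[0] in ("sym", "const"):
        return t
    op, a, b = t[0], simplify(t[1]), simplify(t[2])
    if op in ("xor", "sub") and a == b:
        return ("const", 0)
    if b == ("const", 0):
        return a
    if op == "sub" and a[0] == "add" and a[2] == b:
        return a[1]
    if a[0] == "const" and b[0] == "const":
        v = {"add": a[1] + b[1], "sub": a[1] - b[1], "xor": a[1] ^ b[1]}[op]
        return ("const", v & 0xFFFFFFFF)
    return (op, a, b)

def operand(state, tok):
    # Immediate operands (decimal or 0x-prefixed hex) become constants; anything else is a register.
    return ("const", int(tok, 0)) if tok[0].isdigit() or tok[0] == "-" else state["regs"][tok]

def execute(asm, state):
    """Interpret Intel-syntax assembly text, one instruction per line, over a symbolic state."""
    for line in filter(str.strip, asm.splitlines()):
        mnem, *ops = line.replace(",", " ").split()
        regs = state["regs"]
        if mnem == "mov":
            regs[ops[0]] = operand(state, ops[1])
        elif mnem in ("add", "sub", "xor"):
            regs[ops[0]] = simplify((mnem, regs[ops[0]], operand(state, ops[1])))
        elif mnem == "push":
            state["stack"].append(operand(state, ops[0]))
        elif mnem == "pop":
            regs[ops[0]] = state["stack"].pop()
        elif mnem != "nop":
            raise ValueError(f"unsupported instruction: {line}")
    return state

def equivalent(a, b, regs=REGS):
    """True when both sequences leave the stack and every register in `regs` holding the same
    normalised term; a subset of REGS checks semi-equivalence (assumed reading of the paper's notion)."""
    sa, sb = execute(a, initial_state()), execute(b, initial_state())
    return sa["stack"] == sb["stack"] and all(sa["regs"][r] == sb["regs"][r] for r in regs)
```

A scanner built on this principle compares a suspect fragment against a normalised signature rather than raw bytes, so register-clearing idioms or push/pop substitutions used by a metamorphic engine collapse to the same term.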

Correspondence to Matt Webster.

Cite this article

Webster, M., Malcolm, G. Detection of metamorphic computer viruses using algebraic specification. J Comput Virol 2, 149–161 (2006). https://doi.org/10.1007/s11416-006-0023-z
